From owner-svn-ports-head@freebsd.org Sun Jul 29 06:53:07 2018 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A8A6F104DB07; Sun, 29 Jul 2018 06:53:07 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5BC5674459; Sun, 29 Jul 2018 06:53:07 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3CC9C12601; Sun, 29 Jul 2018 06:53:07 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w6T6r7qq054526; Sun, 29 Jul 2018 06:53:07 GMT (envelope-from se@FreeBSD.org) Received: (from se@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w6T6r6xJ054525; Sun, 29 Jul 2018 06:53:06 GMT (envelope-from se@FreeBSD.org) Message-Id: <201807290653.w6T6r6xJ054525@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: se set sender to se@FreeBSD.org using -f From: Stefan Esser Date: Sun, 29 Jul 2018 06:53:06 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r475628 - head/security/pwned-check/files X-SVN-Group: ports-head X-SVN-Commit-Author: se X-SVN-Commit-Paths: head/security/pwned-check/files X-SVN-Commit-Revision: 475628 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Jul 2018 06:53:07 -0000 Author: se Date: Sun Jul 29 06:53:06 2018 New Revision: 475628 URL: https://svnweb.freebsd.org/changeset/ports/475628 Log: Add support for the remote query API. This obviates the need to download the > 10 GB pawned password hash list, which requires nearly 20 GB after decompression. The API does not transfer the queried password or its full SHA1 hash to the server, but only the first 5 characters of the hash. This allows to retrieve the full password hashes that match that prefix (typically in the order of 500) and then to check whether the password to test matches any of the hashes returned. Approved by: antoine (implicit) Modified: head/security/pwned-check/files/pwned-check.1.in head/security/pwned-check/files/pwned-check.sh.in Modified: head/security/pwned-check/files/pwned-check.1.in ============================================================================== --- head/security/pwned-check/files/pwned-check.1.in Sun Jul 29 04:31:44 2018 (r475627) +++ head/security/pwned-check/files/pwned-check.1.in Sun Jul 29 06:53:06 2018 (r475628) @@ -10,7 +10,7 @@ .Sh DESCRIPTION The .Nm -utility checks the passwords piped in via standard input (one per line) +utility checks the passwords piped in via standard input (one per line) against a huge database of passwords that are known to have been stolen in data breaches. .Pp @@ -22,6 +22,15 @@ on standard output and the exit status of .Nm is set to 1. No output is generated for passwords not found in the database. +.Pp +The database can be downloaded to a local directory or it can be queried +by a method that does not make the hash queried known to the remote +server. +The remote query is performed if the pawned password database has not +been fetched and stored on the local system. +While the remote accesses are not as fast as a local lookup, they will +query an always up-to-date database and allow to avoid the download and +storage of this huge database. .Pp Instead of plain passwords, SHA1 hashes of passwords may be supplied. Matches will be reported, but there is no provision to report the Modified: head/security/pwned-check/files/pwned-check.sh.in ============================================================================== --- head/security/pwned-check/files/pwned-check.sh.in Sun Jul 29 04:31:44 2018 (r475627) +++ head/security/pwned-check/files/pwned-check.sh.in Sun Jul 29 06:53:06 2018 (r475628) @@ -82,14 +82,20 @@ exitcode=0 lookup () { - local hash="$1" - look "$hash" pwned-passwords*.txt > /dev/null + local hash=$(echo "$1" | tr 'a-z' 'A-Z') + if [ "$USEFILES" = yes ]; then + look "$hash" pwned-passwords*.txt > /dev/null + else + expected=${hash#?????} + prefix=${hash%$expected} + fetch -q -o - https://api.pwnedpasswords.com/range/$prefix 2>/dev/null | grep -i "^$expected:" >/dev/null + fi } checkpw () { local pwd="$1" - local hash=$(echo -n "$pwd" | sha1 | tr 'a-z' 'A-Z') + local hash=$(echo -n "$pwd" | sha1) if lookup "$hash"; then echo "$pwd" exitcode=1 @@ -102,8 +108,10 @@ checkpw () } # Main program -cd "$DBDIR" || errexit "Database directory '$DBDIR' not found." export LC_COLLATE=C +if cd "$DBDIR" && ls pwned-passwords*.txt; then + USEFILES=yes +fi >/dev/null 2>&1 if [ "$#" -gt 0 ]; then if [ "$1" = "-u" ]; then